forked from cloudfoundry/docs-cf-admin
cli-user-management.html.md.erb
---
title: Creating and managing users with the cf CLI
owner: CLI
---
You can manage users with the cf CLI. Learn how to view users by role, assign roles, and remove roles from a user.
<%= vars.platform_name %> uses role-based access control, with each role granting
permissions in either an organization or an application space.
For more information, see [Organizations, spaces, roles, and permissions](../concepts/roles.html).
## <a id='understand-roles'></a>About roles
To manage all users, organizations, and roles with the Cloud Foundry Command Line Interface (cf CLI), log in with your
admin credentials. <%=vars.info_loc%>, <%=vars.uaa_cred%> for the admin name and password.
If the feature flag `set_roles_by_username` is activated, Org Managers can [assign org roles](#org-roles) to existing users in their org and Space Managers can [assign space roles](#space-roles) to existing users in their space. For more information about using feature flags, see the [Feature Flags](listing-feature-flags.html) topic.
## <a id='create-user'></a>Creating and deleting users
<table class="table">
<thead>
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
</thead>
<tr>
<td width='25%'>Create a new user</td>
<td>cf create-user USERNAME PASSWORD</td>
<td><code>cf create-user Alice pa55w0rd</code></td>
</tr>
<tr>
<td>Create a new user and prompt for the password, which is more secure than passing it on the command line</td>
<td>cf create-user USERNAME --password-prompt</td>
<td><code>cf create-user Alice --password-prompt</code></td>
</tr>
<tr>
<td>Create a new user, specifying LDAP as an external identity provider</td>
<td>cf create-user USERNAME --origin ORIGIN</td>
<td><code>cf create-user Aayah --origin ldap</code></td>
</tr>
<tr>
<td>Create a new user, specifying SAML or OpenID Connect as an external identity provider</td>
<td>cf create-user USERNAME --origin ORIGIN</td>
<td><code>cf create-user Aiko --origin provider-alias</code></td>
</tr>
<tr>
<td>Delete a user</td>
<td>cf delete-user USERNAME</td>
<td><code>cf delete-user Alice</code></td>
</tr>
</table>
### <a id='create-admin'></a>Creating administrator accounts
To create a new administrator account, use the [UAA CLI](../uaa/uaa-user-management.html#creating-admin-users).
<p class="note">
<span class="note__title"><strong>Note</strong></span>
The cf CLI cannot create new administrator accounts.
</p>
## <a id='orgs-spaces'></a>Org and app space roles
You can have one or more roles.
The combination of these roles defines your overall permissions in the org
and within specific app spaces in that org.
### <a id='org-roles'></a>Org roles
Valid [org roles](../concepts/roles.html#roles) are OrgManager, BillingManager, and OrgAuditor.
<table class="table">
<thead>
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
</thead>
<tr>
<td>View the organizations belonging to an account.</td>
<td>cf orgs</td>
<td><code>cf orgs</code></td>
</tr>
<tr>
<td>View all users in an organization by role.</td>
<td>cf org-users ORGANIZATION-NAME</td>
<td><code>cf org-users my-example-org</code></td>
</tr>
<tr>
<td>Assign an org role to a user.</td>
<td>cf set-org-role USERNAME ORGANIZATION-NAME ROLE</td>
<td><code>cf set-org-role Alice my-example-org OrgManager</code></td>
</tr>
<tr>
<td>Remove an org role from a user.</td>
<td>cf unset-org-role USERNAME ORGANIZATION-NAME ROLE</td>
<td><code>cf unset-org-role Alice my-example-org OrgManager</code></td>
</tr>
</table>
If multiple accounts share a username, `set-org-role` and `unset-org-role` return an error. See
[Identical Usernames in Multiple Origins](../cf-cli/getting-started.html#multi-origin) for details.
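
The following access-review script is an added example, not part of the original documentation or the cf CLI project. It parses `cf org-users` output to list role holders, flag usernames that exist in more than one origin (the case where `set-org-role` and `unset-org-role` return an error), and report holders of a role who are not on a reviewer-supplied allowlist. The output layout it parses and the function names are assumptions; the sample text is constructed.

```bash
# Access review over `cf org-users` output (added example).
# ASSUMPTION: the CLI prints an upper-case role heading followed by indented
# "username (origin)" lines. SAMPLE is constructed, not captured output.
SAMPLE='Getting users in org my-example-org as admin...

ORG MANAGER
  Alice (uaa)
  Aayah (ldap)

BILLING MANAGER
  No BILLING MANAGER found

ORG AUDITOR
  Alice (ldap)
  Aiko (provider-alias)'

# Emit one "ROLE<TAB>USER<TAB>ORIGIN" row per role holder read from stdin.
role_rows() {
  awk '
    /^[A-Z][A-Z ]+$/            { role = $0; next }   # role heading
    /^[[:space:]]+No .* found$/ { next }              # role with no holders
    /^[[:space:]]+[^ ]+ \(.+\)$/ {
      user = $1; origin = $2
      gsub(/[()]/, "", origin)
      printf "%s\t%s\t%s\n", role, user, origin
    }'
}

# Usernames that exist in more than one origin; set-org-role and
# unset-org-role return an error for these.
ambiguous_users() {
  role_rows | awk -F'\t' '!seen[$2 FS $3]++ && ++n[$2] == 2 { print $2 }'
}

# Holders of role $1 who are not on the space-separated allowlist $2.
unexpected_holders() {
  role_rows | awk -F'\t' -v role="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == role && !($2 in ok) { print $2 " (" $3 ")" }'
}

# Live use: cf org-users my-example-org | ambiguous_users
```
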
### <a id='space-roles'></a>App space roles
Each app space role applies to a specific app space.
Valid [app space roles](../concepts/roles.html#roles) are SpaceManager, SpaceDeveloper, and SpaceAuditor.
<table class="table">
<thead>
<tr>
<th><strong>FUNCTION</strong></th>
<th><strong>COMMAND</strong></th>
<th><strong>EXAMPLE</strong></th>
</tr>
</thead>
<tr>
<td>View the spaces in an org.</td>
<td>cf spaces</td>
<td><code>cf spaces</code></td>
</tr>
<tr>
<td>View all users in a space by role.</td>
<td>cf space-users ORGANIZATION-NAME SPACE-NAME</td>
<td><code>cf space-users my-example-org development</code></td>
</tr>
<tr>
<td>Assign a space role to a user.</td>
<td>cf set-space-role USERNAME ORGANIZATION-NAME SPACE-NAME ROLE</td>
<td><code>cf set-space-role Alice my-example-org development SpaceAuditor</code></td>
</tr>
<tr>
<td>Remove a space role from a user.</td>
<td>cf unset-space-role USERNAME ORGANIZATION-NAME SPACE-NAME ROLE</td>
<td><code>cf unset-space-role Alice my-example-org development SpaceAuditor</code></td>
</tr>
</table>
If multiple accounts share a username, `set-space-role` and `unset-space-role` return an error. See
[Identical Usernames in Multiple Origins](../cf-cli/getting-started.html#multi-origin) for details.